<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>

<body>
    <script>
        // An important use of "tagged templates" is filtering HTML strings so that
        // user-supplied values cannot inject markup (a basic XSS defence).
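        // Sample untrusted value for the demo. In real code `sender` comes from
        // user input; without some declaration the tagged-template call below
        // throws ReferenceError and the demo never runs. The sample deliberately
        // contains markup characters so the escaping is visible in `message`.
        const sender = 'Mallory <b>"&"</b>';
        let message =
            SaferHTML `<p>${sender} has sent you a message.</p>`;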

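        /**
         * Tag function for template literals that HTML-escapes every
         * substitution while leaving the literal template text untouched.
         *
         * Each substitution is coerced with String() (so null/undefined become
         * "null"/"undefined") and the five HTML metacharacters & < > " ' are
         * replaced by entities. The previous version escaped only & < >, which
         * is enough for element text but lets a value containing a quote break
         * out of a quoted attribute value; " and ' are now escaped as well.
         *
         * The result is safe as element text or inside a quoted attribute
         * value. It is NOT safe inside a URL, an inline <script>, an
         * event-handler attribute, or CSS -- those contexts need their own
         * encoding, so do not place substitutions there.
         *
         * @param {TemplateStringsArray} templateData literal parts of the template
         * @param {...*} substitutions interpolated values, escaped before concatenation
         * @returns {string} the assembled HTML string
         */
        function SaferHTML(templateData, ...substitutions) {
            const ENTITIES = {
                "&": "&amp;",
                "<": "&lt;",
                ">": "&gt;",
                '"': "&quot;",
                "'": "&#39;",
            };
            // Single pass over a character class: every character is looked up
            // once, so the output of one replacement is never re-escaped.
            const escapeHtml = (value) =>
                String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);

            let html = templateData[0];
            for (let i = 0; i < substitutions.length; i++) {
                html += escapeHtml(substitutions[i]);
                // Literal template text is trusted and is not escaped.
                html += templateData[i + 1];
            }
            return html;
        }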

        // In the code above, `sender` is typically user-supplied; after passing
        // through SaferHTML its HTML metacharacters are escaped. Note that this
        // escaping only neutralises markup characters: it does not make the value
        // safe to place inside a URL, an inline script or event-handler attribute,
        // or CSS, which each require their own context-specific encoding.
        
    </script>
</body>

</html>